I've implemented DANE support for Postfix, but want to make the implementation a bit more robust in the face of possible future changes in OpenSSL.
I want to use SSL_CTX_set_cert_verify_callback() to control how certificate verification is performed. I need to be able to selectively add/remove from the set of "untrusted" additional certificates in X509_STORE_CTX. Unfortunately, while:

    X509_STORE_CTX_set_chain()

sets ctx->untrusted, the similarly named:

    X509_STORE_CTX_get_chain()

returns ctx->chain, which is already populated and useful during the simpler one-cert-at-a-time verification callback, but is always empty at the start of the cert_verify_callback().

I could simply bypass the API and directly manipulate ctx->untrusted, but I am reluctant to do that. Should I go ahead and do that? Will there perhaps be a library feature that exposes the chain elements to the cert_verify_callback?

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org